Linux HackTool Execution
Detects known hacktool execution based on image name.
Sigma rule
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/t3l3machus/hoaxshell
    - https://github.com/t3l3machus/Villain
    - https://github.com/HavocFramework/Havoc
    - https://github.com/1N3/Sn1per
    - https://github.com/Ne0nd0g/merlin
    - https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
    - attack.execution
    - attack.resource-development
    - attack.t1587
logsource:
    product: linux
    category: process_creation
detection:
    selection_c2_frameworks:
        Image|endswith:
            - '/crackmapexec'
            - '/havoc'
            - '/merlin-agent'
            - '/merlinServer-Linux-x64'
            - '/msfconsole'
            - '/msfvenom'
            - '/ps-empire server'
            - '/ps-empire'
            - '/sliver-client'
            - '/sliver-server'
            - '/Villain.py'
    selection_c2_framework_cobaltstrike:
        Image|contains:
            - '/cobaltstrike'
            - '/teamserver'
    selection_scanners:
        Image|endswith:
            - '/autorecon'
            - '/httpx'
            - '/legion'
            - '/naabu'
            - '/netdiscover'
            - '/nuclei'
            - '/recon-ng'
    selection_scanners_sniper:
        Image|contains: '/sniper'
    selection_web_enum:
        Image|endswith:
            - '/dirb'
            - '/dirbuster'
            - '/eyewitness'
            - '/feroxbuster'
            - '/ffuf'
            - '/gobuster'
            - '/wfuzz'
            - '/whatweb'
    selection_web_vuln:
        Image|endswith:
            - '/joomscan'
            - '/nikto'
            - '/wpscan'
    selection_exploit_tools:
        Image|endswith:
            - '/aircrack-ng'
            - '/bloodhound-python'
            - '/bpfdos'
            - '/ebpfki'
            - '/evil-winrm'
            - '/hashcat'
            - '/hoaxshell.py'
            - '/hydra'
            - '/john'
            - '/ncrack'
            # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
            - '/nxc-ubuntu-latest'
            - '/pidhide'
            - '/pspy32'
            - '/pspy32s'
            - '/pspy64'
            - '/pspy64s'
            - '/setoolkit'
            - '/sqlmap'
            - '/writeblocker'
    selection_linpeas:
        # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
        Image|contains: '/linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
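As an added example (not part of the Sigma rule above or of the Sigma project's tooling), the matcher below applies this rule's `Image|endswith` / `Image|contains` selections and its `1 of selection_*` condition to constructed process-creation events, using Sigma's default case-insensitive string matching. It assumes events are dicts with an `Image` key and carries only a subset of the rule's values to stay short.

```python
# Added example: evaluator that mirrors this rule's matching semantics (not pySigma).
# Assumptions: events are dicts with an "Image" key; Sigma's endswith/contains
# modifiers are case-insensitive by default, so both sides are lowercased.
# Only a subset of the rule's Image values is listed here; see the rule for all.
RULE_SELECTIONS = {
    "selection_c2_frameworks": ("endswith", [
        "/crackmapexec", "/havoc", "/merlin-agent", "/msfconsole", "/msfvenom",
        "/sliver-client", "/sliver-server", "/Villain.py"]),
    "selection_c2_framework_cobaltstrike": ("contains", ["/cobaltstrike", "/teamserver"]),
    "selection_scanners": ("endswith", ["/autorecon", "/httpx", "/nuclei", "/recon-ng"]),
    "selection_scanners_sniper": ("contains", ["/sniper"]),
    "selection_web_enum": ("endswith", ["/dirb", "/ffuf", "/gobuster", "/wfuzz"]),
    "selection_exploit_tools": ("endswith", ["/hashcat", "/hydra", "/john", "/pspy64", "/sqlmap"]),
    "selection_linpeas": ("contains", ["/linpeas"]),
}

def match_selection(image, modifier, values):
    """Return the first rule value matching the Image field, or None."""
    img = image.lower()
    for value in values:
        needle = value.lower()
        if modifier == "endswith" and img.endswith(needle):
            return value
        if modifier == "contains" and needle in img:
            return value
    return None

def evaluate(event):
    """Names of selections that fired; '1 of selection_*' means any hit is an alert."""
    image = event.get("Image", "")
    return [name for name, (mod, values) in RULE_SELECTIONS.items()
            if match_selection(image, mod, values)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/opt/tools/msfconsole", "CommandLine": "msfconsole -q"},
    {"Image": "/home/user/Downloads/linpeas.sh", "CommandLine": "./linpeas.sh"},  # contains: .sh suffix still hits
    {"Image": "/opt/HAVOC", "CommandLine": "HAVOC client"},                      # case-insensitive hit
    {"Image": "/usr/bin/python3", "CommandLine": "python3 /tmp/Villain.py"},   # Image is the interpreter: no hit
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la"},
]

def alerts(events):
    """(Image, fired selections) for every event that satisfies the rule condition."""
    return [(e["Image"], fired) for e in events if (fired := evaluate(e))]

if __name__ == "__main__":
    for image, fired in alerts(SAMPLE_EVENTS):
        print(f"ALERT level=high image={image} selections={fired}")
```

The python3 event shows the rule's scope: it keys on `Image` only, so a script started through an interpreter is not covered here and needs separate CommandLine-based logic.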
Related rules
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- FoggyWeb Backdoor DLL Loading
- HackTool - PurpleSharp Execution
- PUA - CsExec Execution
- Program Executions in Suspicious Folders